Events

#TROOPERS25 AD & Entra ID Security Track

The #TROOPERS25 ‘AD & Entra ID Security’ track was a blast – as was the whole conference 😉 – bringing together some of the smartest researchers in the field and a great audience of practitioners willing to share their experiences during the roundtable. The slides of the talks have since been released on the TROOPERS website, but because many speakers also published additional blog posts or released tools, we provide a compilation of resources from the track below.

See you folks next year at #TROOPERS26!

Continue reading “#TROOPERS25 AD & Entra ID Security Track”

Breaking

Security Advisory: Airoha-based Bluetooth Headphones and Earbuds

Important note: Some media coverage on this topic falsely or inaccurately depicts the attack conditions. To be clear: Any vulnerable device can be compromised if the attacker is in Bluetooth range. That is the only precondition.


During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we want to briefly describe the vulnerabilities, point out their impact, and provide some context on the currently running patch delivery processes, as described at this year’s TROOPERS Conference.

Continue reading “Security Advisory: Airoha-based Bluetooth Headphones and Earbuds”

Misc

Windows Hello for Business – Past and Present Attacks

Windows Hello for Business is a key component of Microsoft’s passwordless authentication strategy. It enables user authentication not only during system sign-in but also in conjunction with new and advanced features such as Personal Data Encryption, Administrator Protection, and Recall. Rather than depending on traditional passwords, Windows Hello leverages a PIN or biometric methods – such as fingerprint or facial recognition – to unlock cryptographic keys protected by the Trusted Platform Module (TPM).

Continue reading “Windows Hello for Business – Past and Present Attacks”

Building, Misc

BMBF UNCOVER – Monitoring of Security Incidents in Vehicles

English Abstract

For the realization and introduction of autonomous vehicles, the safe interaction of functions, systems and services, as well as their monitoring over the entire product life cycle, is essential. A security-by-design approach alone is no longer sufficient and must be continuously supported by feedback obtained from in-the-wild operation. This is where the recently completed joint project BMBF UNCOVER comes into play, which targets the requirements of the standards ISO/SAE 21434 (Road vehicles – Cybersecurity engineering) and ISO 21448 (Road vehicles – Safety of the intended functionality (SOTIF)).

Continue reading “BMBF UNCOVER – Monitoring of Security Incidents in Vehicles”

Breaking

Lua-Resty-JWT Authentication Bypass

I was writing some challenges for PacketWars at TROOPERS22. One was intended to be a JWT key confusion challenge in which the public key of an RSA-signed JWT had to be recovered and then used as the secret to sign a symmetric (HMAC) JWT. For that, I was searching for a library vulnerable to JWT key confusion by default and found lua-resty-jwt. The original repository by SkyLothar is no longer maintained and differs from the library that is installed via the LuaRocks package manager. The investigated library is a fork of the original repository, maintained by cdbattags, at version 0.2.3, and had been downloaded more than 4.8 million times according to LuaRocks.

While looking at the source code I found a way to circumvent authentication entirely.

Continue reading “Lua-Resty-JWT Authentication Bypass”

Breaking

All your parcel are belong to us – Talk at Troopers 2023

At Troopers 2023, we gave a talk on how DHL parcel tracking information can be attacked based on OSINT. Since we had previously gone through an exemplary disclosure process for this attack with DHL, Mr. Kiehne (from DHL) joined us to provide interesting background information and insights into how they addressed our findings.

Continue reading “All your parcel are belong to us – Talk at Troopers 2023”

Events

Summary of “Software-Defined Radio applied to security assessments” at Troopers21

The training Software-Defined Radio applied to security assessments was held by Sébastien Dudek at Troopers21 and was remotely organized – like most other events – due to Covid-19. Once we were all caffeinated, we had an exciting journey through basically all things radio.

Continue reading “Summary of ‘Software-Defined Radio applied to security assessments’ at Troopers21”

Events

TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10

Attackers are everywhere. They are now in the cloud too! Attacking the most popular cloud provider, AWS, requires knowing how the different services are set up, which defences need to be bypassed, which service attributes can be abused, where information can leak, how privileges can be escalated, which monitoring solutions may be present in the environment, and so on. We try to answer these questions in our intense, hands-on, scenario-driven training on attacking AWS and subsequently defending against those attacks.

As an attacker or defender, if you have ever asked any of the following questions, this training is for you:

  • Is there a process to attacking the cloud or do we go after the services as and when they are discovered?
  • Is SSRF the only vulnerability to access the metadata service on EC2?
  • How do I use stolen AWS secret keys to attack further?
  • How do I cover my tracks in an AWS environment?
  • If I can’t see a service due to a security group, can I still attack it?
  • How do I create better wordlists to discover and exploit S3 buckets that have uncommon names?
  • Can I impersonate other users within AWS?
  • Is there a way to extract secrets from AWS Lambda?
  • How do I prevent credential compromise in AWS?
  • How can I be sure there is no attacker already within my cloud infrastructure?
  • How do I enumerate and move between accounts that are part of AWS organisations?

Continue reading “TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10”

Events

TROOPERS20 Training Teaser: Hacking Node.js & Electron apps, shells, injections and fun!

Did you know that, in the ever-evolving field of web and desktop apps, all of these can now be powered by JavaScript? You read that right: JavaScript is now used to power both web apps (Node.js) and desktop apps (Electron). What could possibly go wrong?

So, the burning question is: how does this affect Web and Desktop app security? If you want to find out, come to our training and you will experience this in a 100% hands-on fashion! 🙂

You will learn how to hack web and desktop apps, with a special focus on JavaScript attack vectors tailored to Node.js and Electron, but also on broader attack vectors that work against regular web and desktop apps as well.

What are the main attack vectors against Web and Desktop apps? How can apps defend against these? How do JavaScript frameworks change this? Come to find out!

Continue reading “TROOPERS20 Training Teaser: Hacking Node.js & Electron apps, shells, injections and fun!”
